On Tue, Oct 04, 2011 at 10:37:43PM +0200, Peter Olsson wrote:
> Hello!
>
> I hope this is the right list for this question.
> In FreeBSD 8.2, how do I make ntpd not open any
> IPv6 ports? I have searched man pages and google,
> but haven't found the answer. Some ntpd have the
> command line option -4, but that doesn't seem to
> be the case with FreeBSD ntpd.
>
> The server runs IPv6, but ntpd will only ever be used
> with IPv4 servers, so I don't want any unnecessary
> open IPv6 ports for ntpd.
>
> "Use restrict" or "Use a firewall" is not the answer.
> I just don't want this junk in netstat -an:
> udp6 0 0 fe80:3::1.123 *.*
> udp6 0 0 ::1.123 *.*
> udp6 0 0 x:x:x:x.123 *.*
> udp6 0 0 fe80:2::219:bbff.123 *.*
> udp6 0 0 fe80:1::219:bbff.123 *.*
> udp6 0 0 *.123 *.*
All our systems are built with WITHOUT_INET6=true in /etc/src.conf,
which (mostly, not entirely) removes IPv6 from most base system bits.
We also remove the "INET6" option in our kernel configs.
This works for ntpd, but only "functionally" works for rpcbind (I say
"functionally" because it still spits out "cannot get information for
{udp6,tcp6}" when starting, but obviously does not bind to IPv6. I
believe I have an open PR on this matter).
Otherwise, to my knowledge, there is no way to make ntpd not bind to
everything it finds.
If you're wanting IPv6 support but want to exclude some daemons from
binding or utilising IPv6, you're out of luck. It's extremely hit-or-miss
on FreeBSD (mostly miss).
The only alternative is to use pf(4) to block inbound IPv6 packets to
port 123. This won't stop ntpd from talking to IPv6 peers, but would
stop people from talking to it, if that's what you're trying to solve.
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, US |
| Making life hard for others since 1977. PGP 4BD6C0CB |
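Whichever route is taken (rebuilding with WITHOUT_INET6, dropping INET6 from the kernel config, or fencing port 123 with pf), the thing worth verifying afterwards is that netstat really shows no udp6 sockets on port 123. The script below is an added example written for this reply, not code from either poster; it parses the FreeBSD netstat -an layout (address and port separated by a dot, as in the lines quoted above) and counts the IPv6 sockets bound to a given port. The SAMPLE_NETSTAT text is constructed from the quoted output, with the x:x:x:x address left as the placeholder it was in the original mail, and the netstat column layout and function names are my assumptions.

```shell
#!/bin/sh
# Added example: audit "netstat -an" output for IPv6 sockets bound to a port,
# so you can confirm that ntpd has no udp6 listeners after the rebuild.

# Constructed sample modelled on the netstat lines quoted in the thread.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address       (state)
udp4       0      0 *.123                  *.*
udp6       0      0 fe80:3::1.123          *.*
udp6       0      0 ::1.123                *.*
udp6       0      0 x:x:x:x.123            *.*
udp6       0      0 fe80:2::219:bbff.123   *.*
udp6       0      0 fe80:1::219:bbff.123   *.*
udp6       0      0 *.123                  *.*
tcp4       0      0 *.22                   *.*                   LISTEN'

# ipv6_sockets_on_port PORT < netstat_output
# Prints the udp6/tcp6 lines whose local address ends in ".PORT".
# FreeBSD netstat joins address and port with a dot ("*.123", "::1.123"),
# so the port is whatever follows the last dot of the local-address column.
ipv6_sockets_on_port() {
    awk -v port="$1" '
        $1 ~ /^(udp|tcp)6$/ {
            n = split($4, parts, ".")
            if (parts[n] == port) print
        }'
}

# count_ipv6_sockets_on_port PORT < netstat_output  ->  prints the count
count_ipv6_sockets_on_port() {
    ipv6_sockets_on_port "$1" | wc -l | tr -d ' '
}

# Runs the count against the constructed sample above.
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_ipv6_sockets_on_port "$1"
}

# Live check on a FreeBSD host: succeeds only if ntpd has no IPv6 sockets.
audit_live_ntp() {
    n=$(netstat -an | count_ipv6_sockets_on_port 123)
    [ "$n" -eq 0 ]
}
```

On the sample, audit_sample 123 reports 6 (the six udp6 lines from the original mail) while audit_sample 22 reports 0, since the only port 22 socket is tcp4. Run audit_live_ntp from cron or a config-management check after the rebuild; note that, as the reply says, a pf rule only hides the port from inbound traffic and would not change this count, so only the src.conf or kernel route makes the check pass.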